Experiment No. 05
Title: Survey of wireless attack tools focusing on 802.11.
Object: Familiarize with the wireless attack tools for three major categories:
confidentiality, integrity, and availability.
Description:
There are three main principles to computer network security. They are confidentiality,
integrity, and availability. All three concepts are needed, to some extent, to achieve true
security. Not using all three concepts in the security of the network will leave it
vulnerable to attacks. Attackers strive to compromise one or more of the three main
security principles.
The basic definition of confidentiality is assuring that sensitive information will be kept
secret and access limited to the appropriate persons. In network security, confidentiality
can be achieved with data encryption. Data encryption scrambles plaintext data into
unreadable cipertext data.
Integrity can be defined as unimpaired, complete, undivided, or unbroken. In network
security this means that the message has not been tampered. No portion of the message
has been removed, rearranged, or changed. The basic security measure to ensure integrity
is to generate a cryptographic checksum of some sort to guarantee the message is
unaltered.
Finally, availability means that data should be accessible and usable upon demand by an
authorized user or process. An availability attack consists of some sort of Denial of
Service (DoS) attack. A DoS attack prevents the user or device from accessing a
particular service or application.
Wireless Attack Tools:
Many of the wireless attack tools are developed to compromise 802.11 networks. The
popularity and widespread use of Wi-Fi gives the attacker a platform in which they can
cause the most disruption.
Confidentiality Attacks:
The confidentiality attacks attempt to gather private information by intercepting it over
the wireless link. This is true whether the data is encrypted or sent in the clear. If the data
is encrypted, these attacks would include breaking the encryption and finding the key.
Additionally, eavesdropping, key cracking, access point (AP) phishing, and man in the
middle attacks are including in this category.
Eavesdropping is intercepting or sniffing the transmitted network traffic. This is
capturing the bits transmitted on the physical layer, but many commercial programs will
format the data into a user friendly way. This makes understanding the data much easier.
If encryption is used, one will only see the encrypted data while sniffing. There are other
tools available to crack certain encryption techniques. These tools also are considered
confidentiality attack tools.
Beyond simply capturing and displaying the packets from the physical layer, many of the
sniffing programs have filters and plugins installed that have the ability to manipulate the
data creating a man in the middle attack. For example, a sniffing program can have a
filter running that will replace the https (secure website) with http (non-secure). As a
result, the victim's authentication would appear in the clear across the physical layer. The
eavesdropper would be able to see both the username and password for the login.
Figure 1 - Man in the Middle Attack
There are a variety of confidentiality attacks, but they all have one common goal - to
gather the private information of a user. One or more of the attacks can be used. These
include eavesdropping or sniffing, man in the middle attacks, and AP phishing.
Confidentiality Attack Tools:
For eavesdropping a commonly used tool is Wireshark, formally Ethereal. It is a basic
sniffing program that will display all network traffic both wired and wireless. It is a
multi-platform, multi-protocol analyzer with hundreds of protocols supported. It includes
support for 802.11 and Bluetooth and also includes decryption support for many popular
wireless security protocols including IPsec, Internet Security Association and Key
Management Protocol (ISAKMP), Kerberos, Secure Sockets Layer, Wired Equivalent
Privacy (WEP), and Wi-Fi Protected Access (WPA)/WPA2.
Wireshark will display the captured data in an easy to read and easy to follow form. It
also has many built in filters and the ability for the user to design their own filters. These
filters can be used to only capture specific data such as a certain IP address, protocol, port
number, etc.
The sniffing programs work well for information that is sent in the clear. For encrypted
information, an encryption key cracker is necessary. For 802.11, WPA2 is the latest
wireless encryption standard that has not been broken yet. WPA and WEP are two
previous encryption schemes with many tools available that will crack their encryption
keys. AirSnort is a well known for WEP and AirCrack is an attack tools for WPA.
Tools such as Hotspotter , APsniff , APhunter , and KNSGEM will scan for wireless AP
beacon signals. Although they are not necessarily attack tools, they can be used to find
the wireless APs.
Type of
Attack
Encryption
Cracker
Tools
Description
AirSnort
Brute force
WEP cracker
AirCrack
WPA cracker
Encryption
Cracker
Ettercap,
dsniff, and
Wireshark
Packet sniffers
with traffic
analysis. These
also include
tools to break
encryption.
Packet
sniffing
Hotspotter,
APsniff,
APhunter,
and
KNSGEM
Discovers
WLANs by
listening for
AP locator
beacon signals
transmitted from
APs.
HermesAP
Used to setup an
Evil Twin
and OpenAP rogue AP
OpenWRT
and
HyperWRT
Replacement
Fake AP
firmware so APs
creation
can be
programmed to
execute attacks.
Integrity Attacks:
The idea of an integrity attack is to alter the data while in transmission. Remember the
integrity of the data means that it has not been altered in any way. This includes data
deletion or addition, frame deletion or addition, or replay attacks.
One integrity attack is frame injection. This is when an attacker will inject their own
Ethernet frames in the middle of the transmission. This can be used in a variety of ways
to attack the user. The user can be misled into accepting frames that it did not intend. All
the major Internet browsers were vulnerable to a frame injection attack. This
vulnerability has been fixed, but it does give an example on how this can be used as an
attack. An attacker could inject frames into a transmission to display their content with
the legitimate outer web page frames of another company. For example, a user would
access their banking web page and it would look like their legitimate web page, but the
attacker has injected Ethernet frames so that even though the web page looks legitimate it
is not. When the user attempts to login all the login information can be recorder by the
attacker.
Similarly an attacker can delete or jam the data being transmitted. For example, an
attacker could jam the wireless signal from reaching its intended target and also provide
acknowledgments (ACKs) back to the source. The data would never reach the intended
target, but the sender would have no idea, since it would see the ACKs.
Data replay is yet another attack on data integrity. This involves the attacker capturing
authentication information and saving it for later use. This can be used for 802.1X
Extensible Authentication Protocol (EAP) or for 802.1X Remote Authentication Dial-In
User Service (RADIUS) authentications. Once the attacker has captured and saved the
authentication information, it will monitor the traffic for another authentication. Then it
will inject those frames instead of the legitimate authentication frames and essentially
gaining access to a system.
Tools
Description
Type of
Attack
Airpwn
Allows for generic
802.11 packet
injection
802.11
packet
injection
File2air
Allow the specified
802.11
file be used as
replay
packet payload.
AirJack
and
Simple-
Allows previously
802.11
captured packets to
replay
be injected back into
replay
the network.
Availability Attacks:
Availability attacks are most simply described as DoS attacks. DoS focuses on attacking
a specific part of the network so that it is unreachable. Network availability means that
any point the network is able to provide the requested information to the authorized user.
DoS attacks prevent this information from reaching the user.
There are several types of DoS attacks; one is flooding. Flooding is overloading the
network with a certain type of packet so that the wireless AP is busy serving all the
flooding packets that it cannot serve any legitimate packets. For example, an 802.11
beacon flood is where thousands of illegitimate beacons are generate to make it difficult
for individual machine to find the legitimate AP. Another is an 802.11 authentication
flood where thousands of authentications are sent from random Media Access Control
(MAC) addresses filling up the AP's authentication table and making it hard for a
legitimate user to gain access. This gives a small example of the types of flooding attacks
someone could execute on a wireless network.
Figure 2 - Beacon Flooding
The list of attack tools for availability is similar to that of integrity. Many of the same
tools can be used because of the similarity in the attacks. Many of the flooding attacks
can be accomplished by using the injection attack tools on top of the flooding tools. To
execute an authentication flooding attack, you could use frame injection to inject many
authentication frames from different MAC addresses. This will fill up the authentication
table of the AP and make it difficult for a legitimate user to connect.
There are, however, some specific tools available to launch these attacks that are separate
from the integrity attack tools. FakeAP generates thousands of 802.11 APs or more
specifically it generates thousands of 802.11 beacon signals that can be used for the
beacon signal flooding attack.
There are a variety of availability attacks. All of them implement a DoS attack of some
sort whether it is radio frequency (RF) jamming or network flooding. There also are
many different flooding attacks with just a few examples given here. Flooding attacks
promote the vulnerabilities of the protocols.
Type of
Attack
Tools
Description
FakeAP
Generate thousands
Flooding
of 802.11 beacon
DoS
signals.
Void11
Can be used to
execute
deauthenticate,
authenticate, and
association
flooding attack.
Many
commercial
tools
available
Jams the RF signal
so that it cannot be RF
distinguished by a jamming
legitimate device.
Flooding
DoS
Lab Task:
Read the manual carefully and be prepare for the viva of this manual.